Bruce Schneier is the top candidate for the popular (ridiculous, but popular) sobriquet of "security rock star". His analyses of the implications of security have continually widened in scope over a number of years, bringing us to his latest book, "Liars & Outliers: Enabling the Trust That Society Needs to Thrive."

The main title provides the framing that makes up the structure of the book: trust decisions are posed as choices between "cooperating with" and "defecting from" relevant social norms. The subtitle describes the real subject of the book: assessing the need and possibilities for trust in society. This is not a polemic, however; the terminologies are used much more descriptively than prescriptively. Even more important, the text is careful to reiterate (several times) that "defecting" from a group norm is not always wrong, and avoiding inappropriate trust -- at least most of the time -- is an essential part of a working trust system.

The very first thing Schneier takes up in the book is establishing that in our society, we all trust strangers in various ways all the time. This is most easily demonstrated in commercial transactions, where we expect that by and large we can trust merchants, service people, and even passers-by, largely without relying on any kind of security. This is a complicated subject in its own right, as the author establishes up front but fully fleshes out over the remainder of the text. The value of trust is non-transitive and situational, and has to develop accordingly. As Schneier claims, its existence defines civilization itself.

The meat of the book opens with a survey of research results relevant to trust issues from numerous disparate fields, ranging across sociology, economics, evolution, neuroscience, game theory, and several others. This information forms the raw material for understanding how trust actually works in real situations, as well as the mechanisms that encourage and discourage it.
The historical, cognitive, social and societal complexities of trust are presented in the section on research results. These complexities provide the grist for Schneier to develop his primary thesis, namely that there are four basic types of societal pressure that encourage trust or at least cooperation. The terms are, as I mentioned, used descriptively rather than prescriptively; in a number of cases, a particular pressure could reasonably be placed into different categories. Schneier refers to the categories as "moral pressure," "reputational pressure," "institutional pressure," and "security systems." One important thesis in the book is that each successive system helps the previous ones scale up. The obvious hope is that overall, the system will work for a planet of over 7 billion people.

The "moral pressure" category extends well beyond what would necessarily be associated with the category of morals. It covers anything that could be construed in terms of a personal sense of right and wrong. Some example concepts include fairness and loyalty. This works really well for trusting people you know well enough to judge their intentions, which limits it to a circle of a few dozen.

Where moral pressure is entirely internal, "reputational pressure" is primarily external. For most people, having others think well of them is a motivation in its own right, but it is strongly supported by the negative consequences of being considered untrustworthy. In business, a poor reputation can cause customers to go elsewhere, or suppliers to demand expensive guaranteed payment terms. Depending on the characteristics of the particular grapevine, this can be effective for quite sizable groups, especially when the group has good internal communication. Some people, particularly those with antipathy for government structures, believe that reputational systems can be built large enough to take care of most of society's trust issues (if they believe that "society" is a meaningful term).
But aside from the fact that we have no proof such a system could be built, Schneier points out several limitations to reputation even at small scales: reputations can easily be wrong, and the value of reputation is variable. Most important, scaling up a reputational system raises the value of attacking it.

Defending a reputational system is getting into a different realm of trust. In the corresponding section of the book, Schneier takes us into situations where we're looking to trust people even if they don't want to do what we want them to. This is what Schneier calls "institutional pressure," and it takes us from creating rules and laws into creating institutions to administer them. Once we start taking measures specifically to apply those institutional pressures, we're into the realm where Schneier finally starts using the word "security."

At the larger scales, the number of things that can go wrong increases. The dilemmas become steadily more complicated as the number of competing interests grows. Handling that problem is something we do at multiple layers: i.e., by delegation. Delegation gives us a way to get a handle on the complexity of the social mechanisms themselves, but still leaves a variety of conflicts of interest so vast that we can't hope to get a solid understanding of it directly.

In the end, Schneier concludes (as he has been wont to do in the past) that he has no silver bullet. Indeed, he has been saying for years, "security is a process, not a product." Trust, as an essential ingredient to our personal safety, is not something we can get correct all the time, but as long as we can keep it at a reasonable level, society can function fairly well. One implication of this is that, in an era of scaling-up contacts, it is to our advantage to encourage expanding definitions of "society" itself.

This book is a very timely analysis of a resource on which society depends.
Schneier says that his goal is to provide a framework within which to view that resource, but really the book goes much further, demonstrating both the importance of that resource and the way in which we are already using -- and promoting -- that resource every day.